OAS and LDAP or OAS and OID ???

1) Is OAS and LDAP a good combination or OAS and OID ???
how do we connect and make use of LDAP from OAS?
please let me know
thanks in advance

Get hold of Whitepaper 774783.1 LDAP Integration for Oracle Utilities Application Framework based products from My Support

Similar Messages

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
    I have the Kerberos authentication and part of the Ldap service working via pam & nss.
    ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
    BUT...
    id gives:- userID, groupID (primary group only)
    groups :- primary group only. (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
    Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
    Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
    //M.

  • Creating OAAM users and groups in external LDAP i.e. OID

    Hi Experts,
    I am looking for the procedure to create OAAM users and groups in external LDAP i.e. OID.
    I am using 11gR2.
    Any pointers would be appreciated.
    Regards,
    Subin

    Check this link http://docs.oracle.com/cd/E27559_01/dev.1112/e27206/lcm.htm#autoId3

  • Servlet and JSP in OAS

    I'm developing web application with OAS
    4.0.8.1 and JDeveloper 3.0 and I want to call
    JSP from servlet using "RequestDispatcher".
    I downloaded JSP for OAS from www.olab.com.
    In the Release note, there is a description
    about RequestDispatcher, but I cannot
    understand about details.
    In what configuration can I use servlet and
    JSP together with RequestDispatcher. Anyone
    scceeded about that?
    null

    wan (guest) wrote:
    : Hi everyone,
    : I am using OAS 4.0.8 on Solaris 2.6. After viewing servlet
    : and JSP samples, I am kind of confuse whether OAS supports the
    : following options
    : 1. JSP
    : 2. servlet chaining
    : 3. running JDeveloper DB Servlet wizard
    : (oracle.jdeveloper.servlet.*) and Java Business Objects
    : (oracle.jbo.rt.cs)
    : Thank you for your time.
    I found a white paper 408newfead.pdf, that says under "Future
    Directions" that it will add jsp support. I read somewhere (I
    can't remember where exactly :( ) that said 4.0.8.1 would
    support
    JSPs. I don't know if this release is out yet.
    I wish Oracle would get with the times and put out a product that
    is consistent with the technology they are touting as the
    future.
    Having us download Suns server to run servlets and JSP is
    ridiculous for the worlds second largest software company!
    null

  • OAS 4.0.8.2 and External HTTP Listener (NES)

    We're about to upgrade to OAS 4.0.8.2 and want to find out which version of Netscape Listener that this OAS version is certified for (we used NES 3.62 for OAS 4.0.8.1)
    Thanks.

    Problem solved.
    I deleted OAS 4.0.8.2.0 and installed Web-to-go. Then I installed OAS 4.0.8.2.0.

  • Can 10g OAS run 10g Report server and 6i reports together?

    Re-posted from the OAS thread: Can 10g OAS run 10g Report server and 6i reports together?
    We have need to run 6i and 10g reports from the same physical server running OAS 10g.
    Are there issues / conflicts?
    There are hundreds of 6i reports called from many applications. Converting completely is a separate project on the books.
    The need is to utilize 10g graphs on this urgent project. The graphing in 6i has not gotten along here with RAC and other distributed architecture. Additionally, I believe the 6i graph runtime would have to be installed on each client workstation... again, hundreds.
    Thank you.

    Hello,
    You can install OAS 10g and Reports 6i on the same server as long as they are installed in different ORACLE_HOME ..
    Take car to the value of the variable PATH ..
    Regards

  • Best Practices for starting up and shutting down OAS

    A co-worker suggested that we set all processes on our Application Server to manual, and enter the startup sequence (opmn, em, etc) in autoexec.nt. Is this a best practice? Has anyone done this? I cant find any examples of this online. Does anyone see any advantages to doing this? I think they mentioned that this will ensure the OS loads the applications in the correct order.

    and set all the services to "Manual"? Yes
    you created a batch file and call it from autoexec.nt? my OS was W2000, anyway the batch was executed at system startup
    net start C:\oracle\midhome\bin\nmesrvc.exe
    net start C:\oracle\midhome\opmn\bin\opmn.exe -SI didn't use those commands, I used dcmctl to start http server and OC4J for infrastructure and midtier, after starting services.
    In other installations I also used opmnctl startall.
    Message was edited by:
    Paul M.

  • Weblogic Server 10.3.0 and LDAP authentication Issue

    Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
    I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
    It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
    Can anyone please point me towards the right direction to get this resolved.
    Thanks,
    STEPS
    Here are my steps I have followed:
    - Created a group called Administrators in OID.
    - Created a test user call uid=myadmin in the OID and assigned the above group to this user.
    - Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
    <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
    <sec:name>OIDAuthentication</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
    <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
    <wls:port>1389</wls:port>
    <wls:principal>cn=orcladmin</wls:principal>
    <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
    <wls:credential-encrypted>removed from here</wls:credential-encrypted>
    <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
    </sec:authentication-provider>
    - Marked the default authentication provider as sufficient as well.
    - Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
    - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
    <LDAP Atn Login username: myadmin>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <authenticate user:myadmin>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <authentication succeeded>
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <LDAP Atn Authenticated User myadmin>
    <List groups that member: myadmin belongs to>
    <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    *<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
    *<Result has more elements: false>*
    <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <login succeeded for username myadmin>
    - I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
    <XACML RoleMapper getRoles(): returning roles Anonymous>
    - I did a ldap search and I found no issues in getting the results back:
    C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
    cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
    objectclass=groupOfUniqueNames
    objectclass=orclGroup
    objectclass=top
    END
    Here are the log entries:
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
    <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
    <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
    <1291668685624> <BEA-000000> <LDAP Atn Login>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
    <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
    <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
    <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685624> <BEA-000000> <authenticate user:myadmin>
    <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685671> <BEA-000000> <authentication succeeded>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
    <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
    <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
    <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
    <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
    <1291668685686> <BEA-000000> <Result has more elements: false>
    <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
    <1291668685686> <BEA-000000> <login succeeded for username myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
    <1291668685686> <BEA-000000> <LDAP Atn Commit>
    <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
         Principal: myadmin
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
    <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
    <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
    <1291668685702> <BEA-000000> <Using Common RoleMappingService>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
    <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
    <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
    <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
    <1291668685702> <BEA-000000> <     Parent: type=<url>>
    <1291668685702> <BEA-000000> <     Parent: null>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
    <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
    <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
    <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
    <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
         Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    <1291668685702> <BEA-000000> <     Subject: 1
         Principal = weblogic.security.principal.WLSUserImpl("myadmin")
    >
    <1291668685702> <BEA-000000> <     Roles:Anonymous>
    <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <     Direction: ONCE>
    <1291668685702> <BEA-000000> <     Context Handler: >
    <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
    <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
    <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
    <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
    <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
    <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
    <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

    Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
    The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
    its was the "cn" attribute that was causing the result set to be empty.
    from a command line we tried
    "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
    and got the results back.
    Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
    So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
    Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
    Thanks everyone for showing interest on the problem and providing suggestions.

  • OIM and ldap sync

    I am using OIM 11gR2 and OID 11.1.1.6. Users and groups will be in OID, and OIM is
    required to do the provisioning of users. Plan is to use ldap sync between oid and oim.
    With ldap sync, all users will be available in OIM. And then in OIM can one do the
    provisioning of users. Is this approach ok? Or should we have OID connector? Or both?

    You can use LDAP Sync between OIM and OID. You dont need OID connector in this case.
    More here...
    Why would you use the LDAP Sync instead of the OID Connector?
    http://fusionsecurity.blogspot.com/2012/01/oim-11g-ldap-synchronization.html

  • OIM-OAM integration and LDAP Sync

    Hello All, I have deployed OIM 11g R2 and OAM/OVD 11.1.1.5. Now I need to enable LDAP sync for OIM-OAM integration and I'm not allowed to extend Oracle schema in AD. So I decided to use OUD for FMW schema and I have completed all those steps and OUD is up and running. Since my enterprise directory is AD and OUD is my FMW directory, I need to think of a split profile setting in OVD. I'm following this link http://fusionapplications-ateam.blogspot.com/2012/04/split-profiles-with-ad-and-oid-for.html for this deployment. I have OVD adapters configured for AD, OUD, Join view and changelog. The link does not clearly explain the steps in OIM for LDAP Sync.
    When I configure LDAP Sync in OIM, should I point the sync to the OUD users container?
    When and how this cn=shadowentries container will be used? I understand that the password (obattributes) are used for password management by OAM, but wondering where will that get stored in OUD?
    Please let me know your thoughts.
    Thanks.

    Hi,
    when I use url:
    http://idm1:14000/admin/faces/pages/Admin.jspx
    I get Access Manager login page, I can click links: register new user, reset password and I get correct OIM pages. But when I type xelsysadm and password I get error on the next page:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    I can't logon to EM, OAMconsole, Weblogic etc. when the OAM is running. In OIM log I got errors from oam-agent: "User is not authorized to access resource, MinorCode: DENY, MajorCode: DENY".
    I have got user xelsysadm in OIM and in LDAP, when the OAM is not running I can login to OIM, create users in OIM (they appear in OID) etc. The user xelsysadm is added to group: OAMAdministrators. Also when I try to logon to OAM console (http://idm1:7001/oamconsole) using orcladmin name I get error: Access to administration console is restricted. But when I use weblogic username (the user is in OAMAdministrators group in OID) i can get OAMconsole.
    How can I change logon type in OIM?
    best
    mp
    Edited by: J23 on 2011-01-10 00:47

  • Using Dynamic Groups in Ldap for Accounts and Roles

    Does anyone currently use dynamic groups in LDAP for accounts and roles? I have set up a dynamic group in ldap (we are using OID Oracle internet Directory 10.1.2.0) , ldapsearch returns the correct list of unique names, but the account does not appear on my profile page when I log in to UCM (10.1.3). I cannot find any documentation so I'm asking myself if it is supported .....

    Thanks tim ... will check, but Oracle are saying :
    Oracle Universal Content Management - Version: 7.5.1
    Information in this document applies to any platform.
    Product: Content Server
    Version: 6.0
    Goal
    Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
    Solution
    The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
    to which I have replied you suport 3rd party ldaps, but not your own? Shurely shome mishtake ..... if ldap search works in a seamless way, surely provider should too ....
    Billy, you may well be right, just got a cashflow problem over here !

  • LDAPSYNC Reconn Job: LDAP User Create and Update Reconciliation

    OIM 11.1.1.5.4 (BP4) libOVD, trusted data source oid 11.1.1.5.0
    I have the reconn job working " LDAP User Create and Update FULL Reconciliation"
    But the incremental job not working "LDAP User Create and Update Reconciliation"
    No errors found in the oim server logs
    the msg found with the indication of the execution of the job.
    Has anyone been successful with the job "LDAP User Create and Update Reconciliation"
    [2012-10-21T08:09:03.922-04:00] [oim_server1] [NOTIFICATION] [IAM-1020005] [oracle.iam.scheduler.impl.quartz] [tid: OIMQuartzScheduler_Worker-2] [userId: oiminternal] [ecid: 0000Je3Cacy3n3WjLxuHOA1GWyFa000002,0] [APP: oim#11.1.1.3.0] Job Listener, Job was executed QuartzJobListener.jobWasExecuted Description null FullName DEFAULT.LDAP User Create and Update Reconciliation Name LDAP User Create and Update Reconciliation
    TIA
    gadba

    has any one had that worked, for the incremental job of ldapsync recon ?

  • Problem with ADS and LDAP

    Problem with ADS and LDAP
    I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
    After connection via LDAP I cann't get any object ( users or goups etc. ).
    I try connect to ADS by java ( JNDI ).
    When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
    the same problem - no objects.
    Can anybody help me?
    Grzegorz Pszona
    my e-mail: [email protected]

    Thanks a lot.
    Softerra's browser is really good.
    Thanks
    Rashmi
    "Anant Kadiyala" <[email protected]> wrote:
    >
    I used Softerra's LDAP browser. The browser is free. There is also a
    java baded
    LDAP browser from Univ of Michigan. I found the Softerra browser to be
    more easier
    to use.
    -anant
    "rashmi" <[email protected]> wrote:
    Hi,
    Can you please let me know which exact ADS tool that you used to examine
    the
    DN. I have Active Directory Users and Computers, Sites and Servicesand
    Domain
    and Trusts installed on my machine but I am not able to figure out how
    to get
    the DN?
    Thanks
    Rashmi
    for Stephen Davies <[email protected]> wrote:
    Grzegorz,
    I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
    a
    fair bit of messing around to get it going. MS does have a few oddities,
    for example the Administrators DN might look something like this:
    cn=Administrator,cn=Users,dc=eglobal,dc=net
    One tool that I found invaluable came with the additional support tools
    for Windows 2000. The 'Active Directory Administration Tool' made it
    easy to list the directory contents and examine the DNs.
    Regards,
    Steve
    Stephen Davies
    Principal Consultant
    eGlobal Services Pty. Ltd.
    Sydney, Australia
    Ph. +61 2 9283 1033
    http://www.eglobal.net/

  • SSO and LDAP no working after revokeing Territory selection choice of SSO

    Hi i have 9ias 9.0.2 infrastructure on win 2k box.
    earlier the territory selection choice was checked.
    but when i unchecked that option. and i logged out of SSO.
    Now the problem is i am not getting the SSO and Internet Directory home pages.
    and in Enterprise manager web page shows both are up.
    win 2k's task manager also shows the all the three process of Internet directory also running along with other essentianl processs.
    any clue....
    my whole work and intranet & extranet is not accessible due to this.... it will be great to me if i get any tip of hint...
    thanks a lot... in advance...
    regards
    samir([email protected])

    Well, this is certainly a case where I would be opening a tech support case. Your server is down, and you need help . .
    I'll try what I can for you.
    [18/Jun/2004:09:21:57 -0400] vipmail2 httpd[1560]: Account Debug: SASL [10.29.11.63] Cannot get namespace for domain vipmail2.kvcc.edu: Entry not found
    This likely means that you've missed another, earlier error in the log. I suspect that what may have happened, is that the USER that Messaging Server connects to LDAP with has had a password change, and you're no longer able to BIND to LDAP to make queries.
    I would start looking at your LDAP Access Log, and see what user you're attempting to BIND as, and see if that BIND is successful.
    The contents of msg.conf and your other file is useful as information, but is not a user-editable file. You must use configutil to make changes, as this data is stored in LDAP, and on server startup, the files will be rewritten with ldap data.

  • Open Directory and LDAP questions/difficulties

    Hi, my company is about to try out OSX Server to replace our old Irix file server. In order to do this we need to run through a number of tests in order to validate the idea. Basically, the test setup is a PM G5 running OSX Server 10.4 and a connected Mac and/or PC on the G5's second ethernet port as test clients. The first ethernet port is connected to the local subnet (192.168.1.x) and, ideally, the OSX Server should have its own subnet on the second port and serve DHCP, AFP and SMB to that port only, along with an OD shared directory providing both authentication and home directories for users. (later on, if all is successful, it will serve those services on the company subnet). DNS is supplied by a separate server on the subnet (DNS caching server running tinydns)
    I've read my way through the OSX Server documentation, and gathered all the information the Worksheet requires. The problems started occuring because we installed OSX Server over an OSX Client and broke off the Server Assistent, because we were worried at the time that turning on a Windows PDC would collide with our current (and very flaky) Samba server running on the Irix machine, and that DHCP might also collide with our current dhcp server.
    As a consequence, we tried to set it up via the Server Admin Panel, Network Prefs, and the Workgroup Manager, after having connected the second ethernet port of the G5.
    Doing this, and setting the OD service to an OD Master, along with a Search base of dc=hostname, dc=domain, dc=tld has not exactly changed much. The problem is that the info panel says that LDAP is not running. This confuses me no end. I thought OD was based upon LDAP. The server name in the Server Admin panel is hostname.local. And now I get to my real questions (finally):
    1.Would it be better to just wipe the machine and start again using the Assistent, and set up the ODMaster that way?
    2.When is an ODMaster not a local directory and when is it a shared directory (the hostname.local worries me)
    3.What services exactly need to be running for the ODMaster to function properly
    3.How do I configure the local subnet on the second port (should I use the Gateway Assistent or do it by hand), and how do I only serve those services to that port (do I do it by setting the router/gateway for those services as the IP of the second port or as localhost).
    4.Do I need to simply enable LDAPv3 on the clients and set the search path to automatic to get the clients to Autheticate?
    5.Do user and groups added to the hostname.local become part of the OD Domain?
    I'm sorry if I come across as a total newbie. I'm used to doing most of this on the commandline in Linux (except for LDAP, which is new to me), and the GUI. I have managed to entangle myself quite nicely in all this and could really use some pointers.
    Thanks in advance
    Theo.
    PowerBook G4   Mac OS X (10.4.7)  

    1. Starting with a freshly installed OS X Server is recommended, but start no services at first, you need working DNS with reverse zone for the server IP to run OD Master (and other services). If the server domain is to be different from the existing network domain name setup DNS in OS X for the test domain.
    2. I'm not sure I understand the question. LDAP/OD can be used on the server to "house" the user accounts but you don't have to bind computers to it.
    If you don't use the more advanced possibilities with LDAP/OD I don't think the clients even need to have LDAP configured to be able to authenticate.
    hostname.local = hostname and the standard Bonjour domainname .local ?
    3a. DNS, so that reverse lookup works for the hostname before setting up OD Master. OD needs a "true" domainname Bonjour isn't sufficient. Setup/use something like mydomain.private.
    3b. You don't need to do NAT, you can also route between two subnets (you would need a static route in your Internet router too).
    If you want NAT you can use the GW assistant. The interface on the top of the list in Network config (where you can add more/alias interfaces) is the "main" interface used as the "WAN"/"Internet" interface.
    4. If the clients are "standalone" (not bound to the OD domain or not using server based homefolders and such) I think you only need LDAP if you want the clients to be able to search for info in OD/LDAP. Not needed for authentication.
    You can send out LDAP info with DHCP.
    5. If you mean you add/enter users and groups to OD/LDAP directory it just means you can have different servers/clients using a central repository(?) for authentication purposes.
    If you add (bind) machines to the domain you can to control what clients can do locally (priviledges), which applications they can run and so forth.
    In /etc/smb.conf you can say which interface to use för samba (don't remember what to enter though). And if using the firewall (you must if you want NAT) you can stop Bonjour (mDNS - multicasts) from entering the "old" network if you like/need.

Maybe you are looking for